Peripheral component interconnect express device startup method and apparatus, and storage medium

ABSTRACT

A peripheral component interconnect express device startup method and apparatus, and a storage medium are provided, and pertain to the field of computer technologies. According to this method, a BIOS attempts to verify firmware of a PCIE device to determine whether the firmware of the PCIE device is tampered with. Moreover, the BIOS may only start up a PCIE device where firmware that succeeds in the verification is located. Therefore, a computer device is prevented from starting up a PCIE device of which firmware is tampered with, and a security risk caused by the PCIE device to the computer device is reduced.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of International Application No. PCT/CN2021/106710, filed on Jul. 16, 2021, which claims priority to Chinese Patent Application No. 202010849505.0, filed on Aug. 21, 2020. The disclosures of the aforementioned applications are hereby incorporated by reference in their entireties.

TECHNICAL FIELD

This application relates to the field of computer technologies, and in particular, to a peripheral component interconnect express device startup method and apparatus, and a storage medium.

BACKGROUND

With development of network technologies, a computer device has an increasingly strict requirement on network security. To ensure network security of the computer device, in a system initialization process, a trusted platform module (TPM) chip in the computer device attempts to verify some components in the computer device, and the computer device starts up a verified component.

Given an example of a computer device starting up a basic input/output system (BIOS), at present, a process in which the computer device starts up the BIOS is: in the system initialization process, the TPM chip reads firmware of the BIOS, and performs integrity verification on the read firmware. If the verification for the read firmware succeeds, the firmware is not tampered with, and the computer device starts up the BIOS. If the verification for the read firmware fails, the firmware may have been tampered with, and the computer device does not start up the BIOS. In this way, a BIOS that has been tampered with is prevented from being started up.

However, the TPM chip may perform integrity verification only on some components such as the BIOS and a baseboard management controller (BMC) in the computer device, but does not perform the integrity verification on a peripheral component interconnect express (PCIE) device mounted to the computer device. In this case, a PCIE device started up by the computer device is not necessarily secure. For example, malicious code may have been implanted in the PCIE device. Subsequently, when an operating system in the computer device communicates with the PCIE device into which the malicious code is implanted, the operating system may be attacked by the malicious code, thereby threatening security of the computer device. Therefore, to prevent a PCIE device from threatening the security of a computer device, a method for securely starting up a PCIE device is urgently needed.

SUMMARY

Embodiments of this application provide a peripheral component interconnect express device startup method and apparatus, and a storage medium, so that a PCIE device can be prevented from threatening security of a computer device. The technical solution is as follows.

According to a first aspect, a peripheral component interconnect express (PCIE) device startup method is provided, where the method includes:

an input/output system BIOS of the computer device obtains firmware of the PCIE device; the BIOS attempts to verify the firmware; and if the verification for the firmware succeeds, the BIOS starts up the PCIE device.

In the method, the BIOS attempts to verify the firmware of the PCIE device, to determine whether the firmware of the PCIE device is tampered with. The BIOS may start only a PCIE device where the firmware that succeeds in the verification is located. In this way, a computer device is prevented from starting up a PCIE device of which firmware is tampered with, and a security risk caused by the PCIE device to the computer device is reduced.

In a possible implementation, the method further includes:

if the verification for the firmware fails, the BIOS skips starting up the PCIE device.

Based on the foregoing possible implementation, the PCIE device of which the firmware fails to be verified is not started up, so that the computer device is prevented from starting up a PCIE device of which firmware is tampered with. In this way, a security risk caused by the PCIE device to the computer device is reduced.

In a possible implementation, that the BIOS skips starting up the PCIE device includes:

the BIOS controls the PCIE device to be in a reset state or a power-off state; or

the BIOS marks the PCIE device as a startup disabled state, where the startup disabled state is used to indicate to skip starting up the PCIE device.

Based on the foregoing possible implementation, the BIOS controls the PCIE device of which the firmware fails to be verified to be in a reset state or a power-off state, or marks a PCIE device where the firmware failing to be verified is located as a startup disabled state, so that the PCIE device of which the firmware fails to be verified is completely blocked.

In a possible implementation, that an input/output system BIOS of the computer device obtains firmware of the PCIE device includes:

the BIOS reads an image of the firmware from an expansion read-only memory ROM of the PCIE device.

In a possible implementation, the firmware includes signature data. Before the BIOS obtains the image of the firmware from the expansion read-only memory ROM of the PCIE device, the method further includes:

the BIOS reads an image type of the image from the read-only ROM and a certificate type of the signature data, where the image type is used to indicate a code type of the image, and the certificate type is used to indicate an encryption algorithm for calculating the signature data.

In a possible implementation, the firmware includes firmware code and signature data of the firmware code.

That an input/output system BIOS of the computer device obtains firmware of the PCIE device includes:

the BIOS obtains the signature data of the firmware code from a driver of the PCIE device; and the BIOS reads the firmware code from the PCIE device.

In a possible implementation, that the BIOS reads the firmware code from the PCIE device includes:

the BIOS reads an image of the firmware code from an expansion ROM of the PCIE device.

In a possible implementation, before the BIOS reads the image of the firmware code from the expansion ROM of the PCIE device, the method further includes:

the BIOS reads an image type of the image from the expansion ROM and a certificate type of the signature data, where the image type is used to indicate a code type of the image, and the certificate type is used to indicate an encryption algorithm for calculating the signature data.

In a possible implementation, that the BIOS obtains the signature data of the firmware code from a driver of the PCIE device includes:

the BIOS reads an image of the driver from an expansion ROM of the PCIE device; and

the BIOS obtains the signature data of the firmware code from the image of the driver.

In a possible implementation, before the BIOS attempts to verify the firmware, the method further includes:

the BIOS attempts to verify the driver; and if the verification for the driver succeeds, the BIOS performs the step of reading the firmware code from the PCIE device.

In a possible implementation, the BIOS stores a public key of the PCIE device, and the public key is used to attempt to verify the firmware.

In a possible implementation, the method further includes:

the BIOS modifies the stored public key of the PCIE device based on a public key modification instruction.

According to a second aspect, a PCIE device startup apparatus is provided, and is configured to execute the foregoing PCIE device startup method. Specifically, the PCIE device startup apparatus includes a function module configured to perform the PCIE device startup method provided in any one of the first aspect or the optional implementations of the first aspect.

According to a third aspect, a computer readable storage medium is provided. The storage medium stores at least one piece of program code, and the program code is loaded and executed by a processor to implement operations performed in the PCIE device startup method.

According to a fourth aspect, a computer program product or a computer program is provided. The computer program product or computer program includes a computer instruction. The computer instruction is stored in a computer readable storage medium. A processor of a computer device reads the computer instruction from the computer readable storage medium. The processor executes the computer instruction, so that the computer device performs the method provided in the first aspect or the optional implementations of the first aspect.

According to a fifth aspect, a computer device is provided. The computer device includes a processor and a memory. The memory stores at least one piece of program code. The program code is loaded by the processor, so that the computer device implements the method provided in any one of the first aspect or the optional implementations in the first aspect.

BRIEF DESCRIPTION OF DRAWINGS

To describe the technical solutions in embodiments of this application more clearly, the following briefly describes the accompanying drawings for embodiments. It is clear that the accompanying drawings in the following description show merely some embodiments of this application, and a person of ordinary skill in the art may still derive other drawings from these accompanying drawings without creative efforts.

FIG. 1 is a schematic diagram of a structure of a computer device according to an embodiment of this application;

FIG. 2 is a schematic diagram of a structure of a computer device according to an embodiment of this application;

FIG. 3 is a flowchart of a PCIE device startup method according to an embodiment of this application;

FIG. 4 is a schematic diagram of space of an expansion ROM according to an embodiment of this application;

FIG. 5 is a schematic diagram of startup of a PCIE device according to an embodiment of this application;

FIG. 6 is a flowchart of another PCIE device startup method according to an embodiment of this application;

FIG. 7 is another schematic diagram of startup of a PCIE device according to an embodiment of this application;

FIG. 8 is a flowchart of a PCIE device startup method according to an embodiment of this application; and

FIG. 9 is a schematic diagram of a structure of a PCIE device startup apparatus according to an embodiment of this application.

DESCRIPTION OF EMBODIMENTS

To make objectives, technical solutions, and advantages of this application clearer, the following further describes implementations of this application in detail with reference to the accompanying drawings.

FIG. 1 is a schematic diagram of a structure of a computer device according to an embodiment of this application. As shown in FIG. 1, the computer device 100 includes a plurality of peripheral component interconnect express (PCIE) devices 101. The PCIE devices 101 each include a network interface card, a disk array (redundant arrays of independent disks, RAID) card, a graphics card, a peripheral component interconnect express (PCIe) solid state drive (SSD) card, an accelerator card, and the like. The PCIE device 101 is not specifically limited in this embodiment of this application.

Each PCIE device 101 includes a driver 1011 and firmware 1012, where the driver 1011 is a driver program of the PCIE device and can be invoked by a BIOS running in the computer device 100, so as to implement data exchange between the BIOS and the PCIE device. In an initialization phase, the driver 1011 is further configured to configure a parameter for the PCIE device. Optionally, the driver 1011 is a unified extensible firmware interface (UEFI) driver. The firmware 1012 is configured to implement a function of the PCIE device 101. For example, target firmware of the network interface card is configured to implement functions such as network connection, packet forwarding, and protocol offloading of the network interface card. Optionally, the firmware 1012 includes firmware code and signature data of the firmware code. The firmware code is code used to implement the function of the PCIE device 101. The signature data is a digital signature of the firmware code and is used to determine whether the firmware code is tampered with, that is, the signature data is used to ensure integrity of the firmware code. In another possible implementation, the firmware 1012 does not include signature data of the firmware code, and the signature data of the firmware code is stored in the driver 1011. In this case, the firmware code may be considered as the firmware 1012.

The BIOS runs in the computer device 100. The BIOS is configured to obtain the firmware 1012 of the PCIE device 101, and attempt to verify the obtained firmware 1012. If the verification for the firmware 1012 succeeds, the BIOS starts up the PCIE device 101 where the firmware 1012 is located; otherwise, the BIOS skips starting up the PCIE device 101 where the firmware 1012 is located. A manner in which the BIOS obtains the firmware 1012 of the PCIE device 101 includes a manner 1 and a manner 2. The manner 1 is: the BIOS reads, from the PCIE device 101, the firmware 1012 including the signature data and the firmware code. The manner 2 is: the BIOS reads the driver 1011 from the PCIE device 101, obtains the signature data of the firmware code from the read driver 1011, and reads the firmware code from the PCIE device.

Optionally, the BIOS stores public keys of the plurality of PCIE devices 101. Each public key is corresponding to a target identifier of a PCIE device, and a public key is used to attempt to verify firmware of a PCIE device indicated by a corresponding target identifier. One target identifier is used to indicate one PCIE device. The target identifier is a device identifier of the PCIE device, or a slot identifier of a slot where the PCIE device is located. Optionally, when the BIOS receives a public key modification instruction, the BIOS modifies the stored public key of the PCIE device based on the public key modification instruction. The public key modification instruction includes at least one target public key and a target identifier corresponding to each target public key. For any target identifier corresponding to any target public key in the at least one target public key, the BIOS modifies the stored public key corresponding to the any target identifier to the any target public key. Optionally, the BIOS further stores BIOS firmware, and the BIOS firmware is code used to implement a BIOS function. Optionally, the BIOS is a UEFI BIOS.

The computer device 100 further includes a processor 102. The BIOS may run on a random access memory (RAM) or a read-only memory (ROM) of the processor 102. The processor 102 is connected to the PCIE device 101 through a target communication interface, so that the BIOS can perform signaling interaction with the PCIE device through the target communication interface. The target communication interface is a PCIE interface. The processor 102 includes a central processing unit (CPU), a graphics processing unit (GPU), an artificial intelligence (AI) processor, and the like. The processor 102 is not specifically limited in this embodiment of this application.

It should be noted that, in some embodiments, a driver and firmware in a PCIE device are separated, that is, the driver and firmware of the PCIE device are two separate parts, such as the PCIE device 101 shown in FIG. 1. However, in some other embodiments, a driver of a PCIE device is located in firmware, that is, the firmware includes the driver, firmware code, and signature data of the firmware code.

FIG. 2 is a schematic diagram of a structure of a computer device according to an embodiment of this application. A computer device 200 may differ greatly due to different configurations or performance, and includes one or more processors 201 and one or more memories 202. The computer device 200 further includes one or more PCIE devices 203. The memory 202 stores at least one piece of program code. The at least one piece of program code is loaded and executed by the processor 201 to implement PCIE device startup methods provided in the following method embodiments. Certainly, the computer device 200 may further have components such as a wired or wireless network interface and an input/output interface, to perform input/output. The computer device 200 may further include other components configured to implement a device function. Details are not described herein.

In an example embodiment, a computer readable storage medium is further provided, such as a memory including program code. The program code may be executed by a processor in a computer device to complete a PCIE device startup method according to the following embodiment. For example, the computer readable storage medium may be a ROM, a RAM, a CD-ROM, magnetic tape, a floppy disk, an optical data storage device, or the like.

To further describe a process in which the BIOS obtains the firmware of the PCIE device in the manner 1, attempts to verify the obtained firmware, and determines, based on a verification result, whether to start up the PCIE device, a flowchart of a PCIE device startup method according to an embodiment of this application is shown in FIG. 3. The method is applied to a computer device including a PCIE device.

301. The PCIE device stores firmware and a driver of the PCIE device.

The PCIE device is any PCIE device, and the firmware includes firmware code and signature data. The driver includes target driver code and target signature data. The driver code is code for implementing a driver function, and the target signature data is a digital signature of the driver code, and is used to ensure integrity of the driver code.

In a possible implementation, the PCIE device obtains the firmware and driver of the PCIE device, and stores the obtained firmware and driver each as a ROM image in an expansion ROM of the PCIE device. The expansion ROM includes as many code images (that is, ROM images) as required by different systems and processor architectures. For example, FIG. 4 is a schematic diagram of space of an expansion ROM according to an embodiment of this application. The expansion ROM stores N+1 ROM images, which are respectively an image 0 to an image N. Each ROM image corresponds to one expansion ROM header and one peripheral component interconnect (PCI) data structure, where N is an integer greater than 0. The expansion ROM header and the PCI data structure are used to store information required by a corresponding ROM image. The expansion ROM header is used to store a ROM signature and a pointer pointing to the PCI data structure. The PCI data structure includes a pointer field, a length field, an image type field, a certificate type field, and another field. The pointer field is used to store a device list pointer to indicate a device supported by the expansion ROM. The length field is used to store the length of the PCI data structure and the length of a ROM image corresponding to the PCI data structure. The image type field is used to indicate a code type of the image, such as a driver type or a firmware type. The certificate type field is used to store a type of an encryption algorithm for calculating the signature data.

Optionally, a process in which the PCIE device obtains the firmware is: the PCIE device calculates the firmware code based on a first digest calculation algorithm, to obtain first digest data of the firmware code, and encrypts the first digest data based on a private key of the PCIE device and a first encryption algorithm, to obtain signature data of the firmware code. The PCIE device combines the firmware code and the signature data into firmware. Optionally, a process in which the PCIE device obtains the driver is: the PCIE device calculates the driver code based on a second digest calculation algorithm to obtain second digest data of the driver code, and encrypts, based on the private key of the PCIE device and a second encryption algorithm, the second digest data to obtain target signature data. The PCIE device combines the driver code and the target signature data into the driver.

The first digest calculation algorithm is an algorithm that is negotiated by the PCIE device and the BIOS and used to calculate the first digest data. The second digest calculation algorithm is an algorithm that is negotiated by the PCIE device and the BIOS and used to calculate the second digest data. The first/second digest calculation algorithm includes a hash algorithm, a message digest (MD) algorithm, a secure hash algorithm (SHA), a message authentication code (MAC) algorithm, and another digest calculation algorithm. The first/second digest calculation algorithm is not specifically limited in this embodiment of this application. The first encryption algorithm is an encryption algorithm that is negotiated by the PCIE device and the BIOS and used to encrypt the first digest data. The second encryption algorithm is an encryption algorithm that is negotiated by the PCIE device and the BIOS and used to encrypt the second digest data. The first/second encryption algorithm includes a digital signature algorithm (DSA), an elliptic curve digital signature algorithm (ECDSA), or an RSA encryption algorithm proposed by Ronald Linn Rivest (Ron Rivest), Adi Shamir, and Leonard Adleman. The first/second encryption algorithm is not specifically limited in this embodiment of this application. An inverse algorithm of the first encryption algorithm is a first decryption algorithm. The first decryption algorithm is used to decrypt the signature data of the firmware code to obtain decrypted data that may be denoted as first decrypted data. An inverse algorithm of the second encryption algorithm is a second decryption algorithm, and is used to decrypt the target signature data of the driver code to obtain decrypted data that is denoted as second decrypted data.

Optionally, a process in which the PCIE device combines the firmware code and the signature data into firmware is: the PCIE device stores the signature data in a first target location of the firmware code to obtain the firmware. Optionally, a process in which the PCIE device combines the driver code and the target signature data into a driver is: the PCIE device stores the target signature data in a second target location of the driver code to obtain the driver. The first target location is a location that is negotiated by the PCIE device and the BIOS and is in the firmware code to store the signature data. Optionally, the first target location is any location in the firmware code, for example, a header, a certain middle location, or a tail of the firmware code. The second target location is a location that is negotiated by the PCIE device and the BIOS and is in the driver code to store the target signature data. Optionally, the second target location is any location in the driver code, for example, a header, a certain middle location, or a tail of the driver code. The first/second target location is not specifically limited in this embodiment of this application.

After obtaining the firmware, the PCIE device stores the firmware as a ROM image in the expansion ROM, and configures an expansion ROM header and a PCI data structure that are corresponding to the image of the firmware. The expansion ROM header is used to store a pointer of the PCI data structure. The PCI data structure includes a pointer field, a length field, an image type field, a certificate type field, and the like. The pointer field is used to indicate a device supported by the expansion ROM. The length field is used to store the length of the PCI data structure and the length of the image. The image type field is used to store an image type of the image, and the image type is used to indicate a code type of the image. The certificate type field is used to store the certificate type of the data signature of the image. The certificate type is used to indicate the encryption algorithm for calculating the signature data. For example, the image N in FIG. 4 is an image of the firmware. The PCIE device configures, in an expansion ROM header corresponding to the image N, a pointer of a PCI data structure corresponding to the image N. For the PCI data structure corresponding to the image N, the PCIE device stores the length of the PCI data structure and the length of the firmware in the length field, stores the code type of the firmware code in the image type field, and stores the type of the first encryption algorithm in the certificate type field.

After obtaining the driver, the PCIE device stores the driver as another ROM image in the expansion ROM, and configures an expansion ROM header and a PCI data structure that are corresponding to the image of the driver. For example, the image 0 in FIG. 4 is an image of the driver. The PCIE device configures, in an expansion ROM header corresponding to the image 0, a pointer of a PCI data structure corresponding to the image 0. For the pointer of the PCI data structure corresponding to the image 0, the PCIE device stores the length of the PCI data structure and the length of the driver in the length field, stores the code type of the driver code in the image type field, and stores the type of the second encryption algorithm in the certificate type field.

It should be noted that the image of the firmware stored in the expansion ROM may be located after the image of the driver. For example, the image of the firmware is a subsequent image of the image of the driver, or the image of the firmware is the last image stored in the expansion ROM. After the PCIE device stores all the images in the expansion ROM, the PCIE device stores a start address of the expansion ROM in an expansion ROM base address field in base address register (BAR) space of the PCIE device, so that the BIOS of the computer device can subsequently read the start address of the expansion ROM from the expansion ROM base address field.

302. The BIOS reads the driver of the PCIE device from the PCIE device.

After the computer device is powered on or reset, the BIOS starts to run. The BIOS enumerates each PCIE device installed on the computer device. After the BIOS enumerates the PCIE device, the BIOS reads the driver of the PCIE device from the PCIE device.

The BIOS may read the image of the driver in an expansion read-only memory ROM of the PCIE device, so that the driver of the PCIE device is read from the PCIE device. In a possible implementation, the BIOS accesses the expansion ROM base address field in the BAR space of the PCIE device through a target communication interface. The BIOS reads the start address of the expansion ROM of the PCIE device from the expansion ROM base address field, and accesses the expansion ROM based on the start address of the expansion ROM. For any image stored in the expansion ROM, the BIOS may read an image type of the any image from an image type field of a PCI data structure corresponding to the any image. If the read image type is a code type of the driver code, the any image is an image of the driver. When the any image is the image of the driver, the BIOS may further read a certificate type of the target signature data from a certificate type field of the PCI data structure corresponding to the any image. Therefore, based on the second encryption algorithm indicated by the certificate type, the inverse algorithm of the second encryption algorithm is determined as a second decryption algorithm. The BIOS may further read the image of the driver of the PCIE device from the expansion ROM. If the read image type is not the code type of the driver code, the BIOS reads an image type of a next image of the any image until the image of the driver is obtained. Still based on FIG. 4, the BIOS reads the image 0 (that is, the driver) from the expansion ROM.

303. The BIOS attempts to verify the read driver.

The BIOS attempts to verify the driver based on the stored public key of the PCIE device.

In a possible implementation, the BIOS obtains the target signature data of the driver code from the second target location of the driver code of the driver, and decrypts the target signature data based on the public key of the PCIE device and the second decryption algorithm, to obtain the second decrypted data. The BIOS calculates the driver code based on the second digest calculation algorithm to obtain the second digest data of the driver code. If the obtained second digest data is the same as the second decrypted data, it indicates that the driver code in the driver is not tampered with and that the driver code is integral, and the verification for the driver succeeds. If the obtained second digest data is different from the second decrypted data, it indicates that the driver code has been tampered with and that the driver code is not integral, and the verification for the driver fails.

304. If the verification for the driver succeeds, the BIOS reads the firmware of the PCIE device from the PCIE device.

The BIOS may read the image of the firmware from the expansion read-only memory ROM of the PCIE device, so that the firmware is read from the PCIE device. In a possible implementation, the BIOS accesses the expansion ROM based on the start address of the expansion ROM through the target communication interface. For any image stored in the expansion ROM, the BIOS may read an image type of the any image from the image type field of a PCI data structure corresponding to the any image. If the read image type is a code type of the firmware code, the any image is an image of the firmware. When the any image is the image of the firmware, the BIOS may further read a certificate type of the signature data of the firmware code from the certificate type field of the PCI data structure corresponding to the any image (that is, a process in which the BIOS reads, from the expansion ROM, the image type of the image of the firmware and the certificate type of the signature data), so that the BIOS may further determine, based on the first encryption algorithm indicated by the certificate type, that the inverse algorithm of the first encryption algorithm is the first decryption algorithm, and the BIOS reads the image of the firmware from the expansion ROM. If the read image type is not the code type of the firmware code, the BIOS reads an image type of the next image of the any image until the image of the firmware is obtained. In this case, the image of the firmware read by the BIOS includes the firmware code and the signature data of the firmware code. Still based on FIG. 4, the BIOS reads the image N (that is, the firmware) from the expansion ROM.

In a possible implementation, if the verification for the driver fails, the driver may bring a security risk to the computer device, and the BIOS jumps to perform step 307, that is, the BIOS skips starting up the PCIE device.

305. The BIOS attempts to verify the read firmware.

The BIOS attempts to verify the firmware based on the stored public key of the PCIE device.

In a possible implementation, the BIOS obtains the signature data of the firmware code from the first target location of the firmware code in the firmware, and decrypts the signature data based on the public key of the PCIE device and the first decryption algorithm, to obtain the first decrypted data. The BIOS calculates the firmware code based on the first digest calculation algorithm, to obtain the first digest data of the firmware code. If the obtained first digest data is the same as the first decrypted data, it indicates that the firmware code is not tampered with and that the firmware code is integral, and the verification for the firmware succeeds. If the obtained first digest data is different from the first decrypted data, it indicates that the firmware code has been tampered with and that the firmware code is not integral, and the verification for the firmware fails.

306. If the verification for the firmware succeeds, the BIOS starts up the PCIE device.

If the verification for the firmware succeeds, the firmware does not bring a security risk to the computer device, and the BIOS starts up the PCIE device.

In a possible implementation, a process in which the BIOS starts up the PCIE device is: the BIOS configures the PCIE device, for example, the BIOS allocates a PCI resource to the PCIE device, so that the PCIE device is visible to an operating system (OS) in the computer device. The PCI resource includes a bus device function (BDF) and memory space.

It should be noted that the PCIE device has been powered on before the BIOS starts up the PCIE device, and the PCIE device may therefore interact with the BIOS. Starting up the PCIE device in this embodiment of this application thus does not mean that the PCIE device is powered on and/or that the PCIE device interacts with the processing chip, but means that the PCIE device is normally configured, so that the normally configured PCIE device may work completely normally.

307. If the verification for the firmware fails, the BIOS skips starting up the PCIE device.

If the verification for the firmware fails, after the PCIE device is started up, the firmware may bring a security risk to the computer device, and the BIOS thus skips starting up the PCIE device.

The BIOS may skip starting up the PCIE device by blocking the PCIE device, so that the PCIE device that is not started up is invisible to the operating system in the computer device. In a possible implementation, a process in which the BIOS blocks the PCIE device is: the BIOS controls the PCIE device to be in the reset state or power-off state; or the BIOS marks the PCIE device as a startup disabled state, where the startup disabled state is used to indicate to skip starting up the PCIE device, so that a PCIE device with a security risk is completely blocked. Optionally, the BIOS controls a hardware circuit in the computer device to output a PCIE reset signal, so that the PCIE device is in the reset state. Optionally, when the computer device supports hot swap of the PCIE device, a power supply circuit of the PCIE device is controlled by a target controller, and the BIOS sends to the target controller a power-off instruction for powering off the PCIE device. After the target controller receives the power-off instruction, the target controller controls the power supply circuit of the PCIE device, so that the PCIE device is powered off. Optionally, the BIOS may store a target identifier of the PCIE device and a state identifier of the startup disabled state in an associated manner, so that the PCIE device is marked as the startup disabled state.

To further describe the process shown in steps 302 to 307, refer to a schematic diagram of startup of a PCIE device according to an embodiment of this application as shown in FIG. 5. In FIG. 5, signature data of firmware code is signature data 1, and target signature data of driver code is signature data 2. A BIOS reads, from a PCIE device, a driver including the driver code and the signature data 2. The BIOS attempts to verify, based on a stored public key of the PCIE device and the signature data 2 in the driver, whether the driver code is integral. If the driver code is integral, the BIOS continues to read, from the PCIE device, firmware including the firmware code and the signature data 1. The BIOS attempts to verify, based on the stored public key of the PCIE device and the signature data 1 in the firmware, whether the firmware code is integral. If the firmware code is integral, the PCIE device is started up; otherwise, the PCIE device is not started up.

According to the method provided in this embodiment of this application, the BIOS attempts to verify the firmware of the PCIE device, to determine whether the firmware of the PCIE device is tampered with, and the BIOS may start up only a PCIE device where the firmware that succeeds in the verification is located. In this way, the computer device is prevented from starting up a PCIE device of which the firmware is tampered with, and a security risk caused by the PCIE device to the computer device is reduced. In addition, the BIOS attempts to verify the PCIE device, and further attempts to verify the driver of the PCIE device. As long as either of the firmware and the driver fails to be verified, the BIOS skips starting up the PCIE device. In this way, the computer device is prevented from starting up a PCIE device of which the firmware is tampered with, and a security risk caused by the PCIE device to the computer device is further reduced. In addition, the BIOS controls the PCIE device where the firmware that fails in the verification is located to be in a reset state or a power-off state, or marks the PCIE device where the firmware that fails in the verification is located as a startup disabled state. In this way, the PCIE device with a security risk is completely blocked.

To further describe a process in which a BIOS obtains the firmware of the PCIE device in the manner 2, attempts to verify the obtained firmware, and determines, based on a verification result, whether to start up the PCIE device, refer to a flowchart of another PCIE device startup method according to an embodiment of this application as shown in FIG. 6. The method is applied to a computer device including a PCIE device.

601. A PCIE device stores firmware and a driver of the PCIE device.

In the embodiment shown in FIG. 6, the firmware is actually firmware code, and the driver includes driver code, target signature data of the driver code, and signature data of the firmware code. For example, in another schematic diagram of startup of a PCIE device according to an embodiment of this application shown in FIG. 7, firmware is firmware code, target signature data included in a driver is signature data 2, and signature data of the firmware code is signature data 1.

In a possible implementation, the PCIE device obtains the firmware and driver of the PCIE device, and stores the obtained firmware and driver each in an expansion ROM of the PCIE device as a ROM image.

Optionally, a process in which the PCIE device obtains the firmware and driver of the PCIE device is: the PCIE device obtains the firmware code and the driver code, and obtains the signature data of the firmware code and the target signature data of the driver code. The PCIE device stores the signature data of the firmware code in a third target location of the driver code, and stores the target signature data in a second target location of the driver code, to obtain the driver. The third target location is a location that is negotiated by the PCIE device and the BIOS and is in the driver code to store the signature data of the firmware code. Optionally, the third target location is any location except the second target location in the driver code. The third target location is not specifically limited in this embodiment of this application.

It should be noted that the process in which the PCIE device obtains the signature data of the firmware code and the target signature data of the driver code is described in step 301, and is not described in detail again in this embodiment of this application. The process in which the PCIE device stores the obtained firmware and driver each in the expansion ROM of the PCIE device as a ROM image is also described in step 301, and is not described in detail again in this embodiment of this application.

It should be noted that in this case, the firmware includes only the firmware code, and signature data of the firmware code is stored in the driver. In this case, a certificate type of the signature data of the firmware code may be stored in a certificate type field in a PCI data structure corresponding to an image of the firmware or a certificate type field in a PCI data structure corresponding to an image of the driver.

602. The BIOS reads a driver of the PCIE device from the PCIE device, where the driver includes the signature data.

The process shown in step 602 is similar to that shown in step 302. The process shown in step 602 is not described in detail herein again in this embodiment of this application.

603. The BIOS attempts to verify the read driver.

The process shown in step 603 is similar to that shown in step 303. The process shown in step 603 is not described in detail herein again in this embodiment of this application.

Still based on FIG. 7, the BIOS decrypts the signature data 2 based on the public key of the PCIE device and the second decryption algorithm, to obtain second decrypted data. The BIOS calculates the driver code based on a second digest calculation algorithm, to obtain second digest data of the driver code. If the obtained second digest data is the same as the second decrypted data, the verification for the driver succeeds; otherwise, the verification for the driver fails.

604. If the verification for the driver succeeds, the BIOS obtains the signature data from the read driver.

The BIOS may obtain the signature data of the firmware code from the image of the driver. In a possible implementation, the BIOS obtains the signature data from the third target location of the driver code in the image of the driver.

It should be noted that the processes shown in steps 602 and 604 are a process in which the BIOS obtains the signature data of the firmware code from the driver of the PCIE device.

605. The BIOS reads the firmware code from the PCIE device.

The BIOS may read the image of the firmware code from the expansion ROM of the PCIE device, so that the firmware code is read from the PCIE device. A process in which the BIOS reads the image of the firmware code from the expansion ROM of the PCIE device is similar to the process in which the BIOS reads the image of the firmware of the PCIE device in step 304. Herein, the process in which the BIOS reads the image of the firmware code from the expansion ROM of the PCIE device is not described in detail again in this embodiment of this application.

After the BIOS reads the firmware code, the BIOS determines the signature data and the firmware code as the firmware. It should be noted that the processes shown in the foregoing steps 602, 604, and 605 are a process in which the basic input/output system (BIOS) of the computer device obtains the firmware of the PCIE device.

606. The BIOS attempts to verify the firmware code based on the signature data.

The BIOS decrypts the signature data based on the public key of the PCIE device and the first decryption algorithm, to obtain first decrypted data. The BIOS calculates the firmware code based on a first digest calculation algorithm, to obtain first digest data of the firmware code. If the obtained first digest data is the same as the first decrypted data, it indicates that the firmware code is not tampered with and that the firmware code is integral, and the verification for the firmware succeeds. If the obtained first digest data is different from the first decrypted data, it indicates that the firmware code has been tampered with and that the firmware code is not integral, and the verification for the firmware fails.

Still based on FIG. 7, the BIOS decrypts the signature data 1 based on the public key of the PCIE device and the first decryption algorithm, to obtain the first decrypted data. The BIOS calculates the firmware code based on the first digest calculation algorithm, to obtain the first digest data of the firmware code. If the obtained first digest data is the same as the first decrypted data, the verification for the firmware code succeeds; otherwise, the verification for the firmware code fails.

607. If the verification for the firmware code succeeds, the BIOS starts up the PCIE device.

The process shown in step 607 is similar to the process shown in step 306. Herein, the process shown in step 607 is not described in detail again in this embodiment of this application.

608. If the verification for the firmware code fails, the BIOS skips starting up the PCIE device.

The process shown in step 608 is similar to the process shown in step 307. Herein, the process shown in step 608 is not described in detail again in this embodiment of this application.
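An added example (not code from the application) of the decision flow in steps 602 to 608: the driver is verified first, the firmware code is read only after that succeeds, and the device is started only if the firmware code matches signature data 1 carried in the driver. Raw RSA with SHA-256, the test key, the driver layout (driver code, then signature data 1, then signature data 2) and all function names are assumptions made for this sketch.

```python
import hashlib

# Constructed test key, NOT secure: a product of two Mersenne primes is trivial
# to factor, but it avoids key-generation code in a short example.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))        # vendor-side private exponent
SIG_LEN = (N.bit_length() + 7) // 8      # 141 bytes


def digest_int(code: bytes) -> int:
    """Digest calculation (assumption: SHA-256 for both driver and firmware)."""
    return int.from_bytes(hashlib.sha256(code).digest(), "big")


def vendor_sign(code: bytes) -> bytes:
    """Vendor side, present only to construct the sample signatures."""
    return pow(digest_int(code), D, N).to_bytes(SIG_LEN, "big")


def bios_verify(code: bytes, signature: bytes) -> bool:
    """Decrypt the signature with the public key and compare it with the digest.

    Assumption: unpadded RSA, mirroring the page's wording; production
    verifiers use a padded signature scheme.
    """
    sig = int.from_bytes(signature, "big")
    if len(signature) != SIG_LEN or sig >= N:
        return False
    return pow(sig, E, N) == digest_int(code)


def pack_driver(driver_code: bytes, firmware_code: bytes) -> bytes:
    """Hypothetical layout: driver code | signature data 1 | signature data 2."""
    return driver_code + vendor_sign(firmware_code) + vendor_sign(driver_code)


def split_driver(image: bytes):
    if len(image) < 2 * SIG_LEN:
        raise ValueError("driver image too short")
    return image[:-2 * SIG_LEN], image[-2 * SIG_LEN:-SIG_LEN], image[-SIG_LEN:]


def startup_decision(driver_image: bytes, read_firmware_code):
    """Return ("START" | "BLOCK", reason).

    read_firmware_code is a callable, so the firmware code is only read from
    the device after the driver has verified.
    """
    try:
        driver_code, sig1, sig2 = split_driver(driver_image)    # step 602
    except ValueError as exc:
        return "BLOCK", str(exc)
    if not bios_verify(driver_code, sig2):                       # step 603
        return "BLOCK", "driver verification failed"
    firmware_code = read_firmware_code()                         # steps 604, 605
    if not bios_verify(firmware_code, sig1):                     # step 606
        return "BLOCK", "firmware verification failed"           # step 608
    return "START", "driver and firmware verified"               # step 607


# Constructed sample inputs.
DRIVER_CODE = b"constructed driver code"
FIRMWARE_CODE = b"constructed firmware code"
DRIVER_IMAGE = pack_driver(DRIVER_CODE, FIRMWARE_CODE)

if __name__ == "__main__":
    print(startup_decision(DRIVER_IMAGE, lambda: FIRMWARE_CODE))
    print(startup_decision(DRIVER_IMAGE, lambda: FIRMWARE_CODE + b"\x90"))
```
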

According to the method provided in this embodiment of this application, the BIOS attempts to verify the firmware of the PCIE device, to determine whether the firmware of the PCIE device is tampered with, and the BIOS may start up only a PCIE device where the firmware that succeeds in the verification is located. In this way, the computer device is prevented from starting up a PCIE device of which the firmware is tampered with, and a security risk caused by the PCIE device to the computer device is reduced. In addition, the BIOS attempts to verify the PCIE device, and further attempts to verify the driver of the PCIE device. As long as either of the firmware and the driver fails to be verified, the BIOS skips starting up the PCIE device. In this way, the computer device is prevented from starting up a PCIE device of which the firmware is tampered with, and a security risk caused by the PCIE device to the computer device is further reduced. In addition, the BIOS controls the PCIE device where the firmware that fails in the verification is located to be in a reset state or a power-off state, or marks the PCIE device where the firmware that fails in the verification is located as a startup disabled state. In this way, the PCIE device with a security risk is completely blocked.

To further comprehensively describe the processes shown in FIG. 3 and FIG. 6, refer to a flowchart of a PCIE device startup method according to an embodiment of this application as shown in FIG. 8. A computer device is powered on or reset. Firmware of a BIOS of the computer device runs. The BIOS enumerates each PCIE device in the computer device. Every time any PCIE device is enumerated, the BIOS attempts to verify a driver of the PCIE device and runs a verified driver. The BIOS loads the firmware of the PCIE device. The BIOS performs verification on the loaded firmware. If the verification succeeds, the BIOS normally configures the PCIE device, so that the PCIE device is visible to an OS of the computer device; otherwise, the BIOS blocks the PCIE device. When the BIOS has loaded all verified PCIE devices in the computer device, the BIOS loads the OS.

It should be noted that “tampered with” mentioned in this application includes a plurality of cases such as malicious tampering, unintentional modification, non-integrity of firmware, firmware damage, an increase/decrease in a code amount of firmware code, or modification of content of firmware code. When the first digest data calculated by the BIOS based on the obtained firmware code is different from the first decrypted data calculated by the BIOS based on the obtained signature data, it indicates that the firmware obtained by the BIOS has been tampered with.

FIG. 9 is a schematic diagram of a structure of a PCIE device startup apparatus according to an embodiment of this application. The apparatus 900 includes a PCIE device 901. The apparatus 900 includes:

an obtaining module 902, configured to be used by an input/output system BIOS to obtain firmware of the PCIE device;

a verification module 903, configured to be used by the BIOS to attempt to verify the firmware; and

a control module 904, configured to be used by the BIOS to start up the PCIE device if the verification for the firmware succeeds.

Optionally, the control module 904 is further configured to:

skip, by the BIOS, starting up the PCIE device if the verification for the firmware fails.

Optionally, the control module 904 is further configured to:

control, by the BIOS, the PCIE device to be in a reset state or a power-off state; or mark, by the BIOS, the PCIE device as a startup disabled state, where the startup disabled state is used to indicate to skip starting up the PCIE device.

Optionally, the obtaining module 902 is configured to:

read, by the BIOS, an image of the firmware from an expansion read-only memory ROM of the PCIE device.

Optionally, the firmware includes signature data. The obtaining module is further configured to:

read, by the BIOS, an image type of the image and a certificate type of the signature data from the read-only ROM, where the image type is used to indicate a code type of the image, and the certificate type is used to indicate an encryption algorithm for calculating the signature data.

Optionally, the firmware includes firmware code and signature data of the firmware code. The obtaining module includes:

an obtaining unit, configured to be used by the BIOS to obtain the signature data of the firmware code from a driver of the PCIE device; and

a reading unit, configured to be used by the BIOS to read the firmware code from the PCIE device.

Optionally, the reading unit is configured to:

read, by the BIOS, an image of the firmware code from an expansion ROM of the PCIE device.

Optionally, the reading unit is further configured to:

read, by the BIOS, an image type of the image and a certificate type of the signature data from the expansion ROM, where the image type is used to indicate a code type of the image, and the certificate type is used to indicate an encryption algorithm for calculating the signature data.

Optionally, the obtaining unit is configured to:

read, by the BIOS, an image of the driver from an expansion ROM of the PCIE device; and

obtain, by the BIOS, the signature data of the firmware code from the image of the driver.

Optionally, the verification module 903 is further configured to:

attempt, by the BIOS, to verify the driver; and

perform, by the BIOS, the step of reading the firmware code from the PCIE device if the verification for the driver succeeds.

Optionally, the BIOS stores the public key of the PCIE device, and the public key is used to attempt to verify the firmware.

Optionally, the apparatus 900 further includes:

a modification module, configured to be used by the BIOS to modify the stored public key of the PCIE device based on a public key modification instruction.

All of the foregoing technical solutions may form optional embodiments of this disclosure through any combination. Details are not described herein again.

It should be noted that, when the PCIE device startup apparatus provided in the foregoing embodiment starts up a PCIE device, division of the foregoing functional modules is merely used as an example for description. In an actual application, the foregoing functions may be allocated to different functional modules for implementation according to a requirement, that is, an internal structure of the apparatus is divided into different functional modules, so that all or some of the functions described above are implemented. In addition, the embodiments of the PCIE device startup method provided in the foregoing embodiments pertain to a same concept. For a specific implementation process, refer to the method embodiments, and details are not described herein again.

Embodiments of this application further provide a computer program product or a computer program. The computer program product or the computer program includes a computer instruction. The computer instruction is stored in a computer readable storage medium. A processor of a computer device reads the computer instruction from the computer readable storage medium, and the processor executes the computer instruction, so that the computer device performs the foregoing PCIE device startup method.

A person of ordinary skill in the art may understand that all or some of the steps of the foregoing embodiments may be implemented by hardware or a program instructing related hardware. The program may be stored in a computer readable storage medium. The storage medium may be a read-only memory, a magnetic disk, a compact disc, or the like.

The foregoing description is merely optional embodiments of this application, but is not intended to limit this application. Any modification, equivalent replacement, or improvement made without departing from the spirit and principle of this application should fall within the protection scope of this application.

What is claimed is:
1. A peripheral component interconnect express (PCIE) device startup method, applied to a computer device comprising a PCIE device, wherein the method comprises: obtaining, by a basic input/output system (BIOS) of the computer device, firmware of the PCIE device; verifying, by the BIOS, the firmware; and starting up, by the BIOS based on the verified result, the PCIE device if the verification for the firmware succeeds.
2. The method according to claim 1, wherein the method further comprises: skipping, by the BIOS, starting up the PCIE device if the verification for the firmware fails.
3. The method according to claim 2, wherein the skipping, by the BIOS, starting up the PCIE device comprises: controlling, by the BIOS, the PCIE device to be in a reset state or a power-off state; or marking, by the BIOS, the PCIE device as a startup disabled state, wherein the startup disabled state is used to indicate to skip starting up the PCIE device.
4. The method according to claim 1, wherein the obtaining, by a basic input/output system BIOS of the computer device, firmware of the PCIE device comprises: reading, by the BIOS, an image of the firmware from an expansion read-only memory ROM of the PCIE device.
5. The method according to claim 4, wherein the firmware comprises signature data, and before the reading, by the BIOS, an image of the firmware from an expansion read-only memory ROM of the PCIE device, the method further comprises: reading, by the BIOS, an image type of the image and a certificate type of the signature data from the read-only ROM, wherein the image type is used to indicate a code type of the image, and the certificate type is used to indicate an encryption algorithm for calculating the signature data.
6. The method according to claim 1, wherein the firmware comprises firmware code and signature data of the firmware code; and the obtaining, by a basic input/output system BIOS of the computer device, firmware of the PCIE device comprises: obtaining, by the BIOS, the signature data of the firmware code from a driver of the PCIE device; and reading, by the BIOS, the firmware code from the PCIE device.
7. The method according to claim 6, wherein the reading, by the BIOS, the firmware code from the PCIE device comprises: reading, by the BIOS, an image of the firmware code from an expansion ROM of the PCIE device.
8. The method according to claim 7, wherein before the reading, by the BIOS, an image of the firmware code from an expansion ROM of the PCIE device, the method further comprises: reading, by the BIOS, an image type of the image and a certificate type of the signature data from the expansion ROM, wherein the image type is used to indicate a code type of the image, and the certificate type is used to indicate an encryption algorithm for calculating the signature data.
9. The method according to claim 6, wherein the obtaining, by the BIOS, the signature data of the firmware code from a driver of the PCIE device comprises: reading, by the BIOS, an image of the driver from the expansion ROM of the PCIE device; and obtaining, by the BIOS, signature data of the firmware code from the image of the driver.
10. The method according to claim 6, wherein the method further comprises: attempting, by the BIOS, to verify the driver; and if the verification for the driver succeeds, performing, by the BIOS, the step of reading the firmware code from the PCIE device.
11. The method according to claim 1, wherein the BIOS stores a public key of the PCIE device, and the public key is used to attempt to verify the firmware.
12. The method according to claim 11, wherein the method further comprises: modifying, by the BIOS, the stored public key of the PCIE device based on a public key modification instruction.
13. A computer device, wherein the computer device comprises basic input/output system (BIOS) and a peripheral component interconnect express (PCIE), wherein BIOS is configured to: obtain firmware of the PCIE device; verify the firmware; and start up, based on the verified result, the PCIE device if the verification for the firmware succeeds.
14. The computer device of claim 13, wherein the BIOS is configured to: skip starting up the PCIE device if the verification for the firmware fails.
15. The computer device of claim 14, wherein the BIOS is configured to: control the PCIE device to be in a reset state or a power-off state; or mark the PCIE device as a startup disabled state, wherein the startup disabled state is used to indicate to skip starting up the PCIE device.
16. The computer device of claim 13, wherein the BIOS is configured to: read an image of the firmware from an expansion read-only memory ROM of the PCIE device.
17. The computer device of claim 16, wherein the firmware comprises signature data and the BIOS is configured to: read an image type of the image and a certificate type of the signature data from the read-only ROM, wherein the image type is used to indicate a code type of the image, and the certificate type is used to indicate an encryption algorithm for calculating the signature data.
18. The computer device of claim 13, wherein the BIOS is configured to: obtain the signature data of the firmware code from a driver of the PCIE device; and read the firmware code from the PCIE device.
19. The computer device of claim 18, wherein the BIOS is configured to: read an image of the firmware code from an expansion ROM of the PCIE device.
20. A computer readable storage medium, wherein the storage medium stores at least one piece of program code, and the program code is loaded and executed by a basic input/output system (BIOS) to implement operations performed in the peripheral component interconnect express PCIE device startup method as following steps: obtaining firmware of the PCIE device; verifying the firmware; and starting up, based on the verified result, the PCIE device if the verification for the firmware succeeds.